NVD Vulnerability Detail

CVE-2013-4517

Summary	Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
Publication Date	Jan. 11, 2014, 10:55 a.m.
Registration Date	Jan. 26, 2021, 3:43 p.m.
Last Update	Nov. 21, 2024, 10:55 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:N/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.1:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.2:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.3:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.3.0:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.5:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.4:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.8:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.6:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.0:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.1:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java::::::::		1.5.5
cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://osvdb.org/101169
2	http://osvdb.org/101169
3	http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html
4	http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html
5	http://rhn.redhat.com/errata/RHSA-2014-0170.html
6	http://rhn.redhat.com/errata/RHSA-2014-0170.html
7	http://rhn.redhat.com/errata/RHSA-2014-0171.html
8	http://rhn.redhat.com/errata/RHSA-2014-0171.html
9	http://rhn.redhat.com/errata/RHSA-2014-0172.html
10	http://rhn.redhat.com/errata/RHSA-2014-0172.html
11	http://rhn.redhat.com/errata/RHSA-2014-0195.html
12	http://rhn.redhat.com/errata/RHSA-2014-0195.html
13	http://rhn.redhat.com/errata/RHSA-2014-1725.html
14	http://rhn.redhat.com/errata/RHSA-2014-1725.html
15	http://rhn.redhat.com/errata/RHSA-2014-1726.html
16	http://rhn.redhat.com/errata/RHSA-2014-1726.html
17	http://rhn.redhat.com/errata/RHSA-2014-1727.html
18	http://rhn.redhat.com/errata/RHSA-2014-1727.html
19	http://rhn.redhat.com/errata/RHSA-2014-1728.html
20	http://rhn.redhat.com/errata/RHSA-2014-1728.html
21	http://rhn.redhat.com/errata/RHSA-2015-0675.html
22	http://rhn.redhat.com/errata/RHSA-2015-0675.html
23	http://rhn.redhat.com/errata/RHSA-2015-0850.html
24	http://rhn.redhat.com/errata/RHSA-2015-0850.html
25	http://rhn.redhat.com/errata/RHSA-2015-0851.html
26	http://rhn.redhat.com/errata/RHSA-2015-0851.html
27	http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc	Vendor Advisory
28	http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc	Vendor Advisory
29	http://seclists.org/fulldisclosure/2013/Dec/169
30	http://seclists.org/fulldisclosure/2013/Dec/169
31	http://secunia.com/advisories/55639	Vendor Advisory
32	http://secunia.com/advisories/55639	Vendor Advisory
33	http://www.securityfocus.com/bid/64437
34	http://www.securityfocus.com/bid/64437
35	http://www.securitytracker.com/id/1029524
36	http://www.securitytracker.com/id/1029524
37	https://exchange.xforce.ibmcloud.com/vulnerabilities/89891
38	https://exchange.xforce.ibmcloud.com/vulnerabilities/89891
39	https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E
40	https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E
41	https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
42	https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
43	https://www.tenable.com/security/tns-2018-15
44	https://www.tenable.com/security/tns-2018-15

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-399	リソース管理の問題	https://cwe.mitre.org/data/definitions/399.html

JVN Vulnerability Information

Apache Santuario XML Security for Java におけるサービス運用妨害 (DoS) の脆弱性

Title	Apache Santuario XML Security for Java におけるサービス運用妨害 (DoS) の脆弱性
Summary	Apache Santuario XML Security for Java には、Transforms を適用する場合、署名に関する処理に不備があるため、サービス運用妨害 (メモリ消費) 状態にされる脆弱性が存在します。
Possible impacts	第三者により、巧妙に細工された Document Type Definition (DTD) を介して、サービス運用妨害 (メモリ消費) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 1, 2013, midnight
Registration Date	Jan. 15, 2014, 4:26 p.m.
Last Update	Aug. 10, 2015, 4:34 p.m.

Affected System

Apache Software Foundation

Apache Santuario XML Security for Java 1.5.6 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Apache Santuario
1	CVE-2013-4517	http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc
Common Vulnerabilities and Exposures (CVE)
2	CVE-2013-4517	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4517
National Vulnerability Database (NVD)
3	CVE-2013-4517	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4517

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-399	https://jvndb.jvn.jp/ja/cwe/CWE-399.html

ベンダー情報

No	Name	URL
Apache Santuario
1	Apache XML Security for Java 1.5.6 release notes	http://santuario.apache.org/java156releasenotes.html
Apache-SVN
2	Revision 1537956	http://svn.apache.org/viewvc?view=revision&revision=1537956
Red Hat Bugzilla
3	Bug 1045257	https://bugzilla.redhat.com/show_bug.cgi?id=1045257
Red Hat Security Advisory
4	RHSA-2014:0195	https://rhn.redhat.com/errata/RHSA-2014-0195.html
5	RHSA-2014:0400	https://rhn.redhat.com/errata/RHSA-2014-0400.html
6	RHSA-2014:1725	https://rhn.redhat.com/errata/RHSA-2014-1725.html
7	RHSA-2014:1726	https://rhn.redhat.com/errata/RHSA-2014-1726.html
8	RHSA-2014:1727	https://rhn.redhat.com/errata/RHSA-2014-1727.html
9	RHSA-2014:1728	https://rhn.redhat.com/errata/RHSA-2014-1728.html
10	RHSA-2015:0675	https://rhn.redhat.com/errata/RHSA-2015-0675.html
11	RHSA-2015:0850	https://rhn.redhat.com/errata/RHSA-2015-0850.html
12	RHSA-2015:0851	https://rhn.redhat.com/errata/RHSA-2015-0851.html

その他

No	Name	URL
関連文書
1	Java XML Signature Denial Of Service Attack	http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html

Change Log

No	Changed Details	Date of change
0	[2014年01月15日] 掲載 [2015年05月08日] ベンダ情報：レッドハット (RHSA-2015:0675) を追加ベンダ情報：レッドハット (RHSA-2015:0850) を追加ベンダ情報：レッドハット (RHSA-2015:0851) を追加 [2015年08月03日] ベンダ情報：レッドハット (RHSA-2014:0400) を追加 [2015年08月10日] ベンダ情報：レッドハット (RHSA-2014:0195) を追加ベンダ情報：レッドハット (RHSA-2014:1725) を追加ベンダ情報：レッドハット (RHSA-2014:1726) を追加ベンダ情報：レッドハット (RHSA-2014:1727) を追加ベンダ情報：レッドハット (RHSA-2014:1728) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.1:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.2:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.3:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.3.0:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.5:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.4:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.8:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.6:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.0:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.1:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java::::::::		1.5.5
cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.0:::::::*